Valdis Dombrovskis 
Vice-President for the Euro and Social Dialogue, Financial Stability, Financial Services and 
Capital Markets Union 
European Commission 
Rue de la Loi 200 
1049 Brussels, Belgium 
7 April 2017 


Dear Vice-President Dombrovskis, 


We are writing to you regarding the European Banking Authority’s (EBA’s) final draft Regulatory 
Technical Standards (‘draft standards’) on Strong Customer Authentication and Secure 
Communication, under the revised Payment Services Directive (PSD2). The draft standards are 
currently being examined by the European Commission. 


Our coalition represents a range of sectors and key players in the payments value chain. We 
welcome the changes made by the EBA as a result of a constructive dialogue with the industry 
and MEPs to address their significant concerns. In order to promote secure payments in the EU, 
while safeguarding the growth of the e-commerce and the Digital Single Market, we call 
on the European Commission to accept the positive changes proposed by the EBA but also 
to work with the EBA to modify the draft standards to address the points outlined below. 


Firstly, we commend that the EBA has now acknowledged a Transaction Risk Analysis (TRA) 
which reflects the industry's existing best practice to effectively prevent fraud in online payments 
through a risk-based approach’. This approach guarantees high levels of security, whilst allowing 
for a frictionless experience for customers shopping online. The draft standards allow banks and 
payment service providers (PSPs) to perform the TRA, while the role of merchants is not explicitly 
acknowledged?. Merchants have unique data points which provide essential warning signs to 
prevent fraud, for example information on customer behaviours, browsing and purchasing 
patterns. Any omission of merchants from the TRA would be a missed opportunity to improve 
security and reduce fraud. 


Secondly, we support the EBA’s move towards a results-oriented approach by allowing those with 
lower fraud rates to waive Strong Customer Authentication® up to a certain transaction value. This 
approach may also be applied for consecutive contactless transactions. Nevertheless, the EBA’s 
approach raises several questions, for instance as to how the fraud thresholds for the transaction 
amounts are calculated or the evidential basis on which they were set. More consideration needs 
to be given to selecting appropriate reference fraud rate(s) which industry can support with useful 
data. 


We appreciate that the EBA has had to develop a position on these complex issues to a very tight 
deadline that precluded a full consultation with impacted stakeholders on concrete technical 
details. While further modifications are necessary, we believe that seeking additional clarity 
on the EBA draft standards through industry bodies and industry guidance will be more effective 
than attempting to amend significant portions of the draft text. Industry players are ideally placed 


1 According to CleverAdvice study (2016; https:/www.ecommerce-europe.eu/press-item/3870/), fraud rates for online 
transaction value of cards issued have declined at an average rate of 13.5% per year, an overall decline of 51%. In 
France and Italy, fraud rates stood at 0.15% in 2014. 

2 As per Article 74.2 Comments [114] and [115] of Summary of responses received within the Final Report on draft 
Regulatory Technical Standards on Strong Customer Authentication (SCA) and Secure Communication, the EBA notes 
that merchants are already subject to bi-lateral agreements with their card acquirer which enables them to adopt their 
own TRA. 

3 SCA requires the customer to authenticate a payment by using two elements, for instance by utilizing additional codes 
generated through their card reader or received on their mobile device. SCA may make sense for some high risk 
payments but it causes disproportionate and unnecessary friction to the customer shopping experience for low-risk 
transactions which are not necessarily low value. 


to assist in resolving these practical issues which are crucial for effective implementation 
and delivery of the key legislative objective - a reduction in fraud rates. We fear that a prolonged 
debate may only create further uncertainty and confusion for consumers and businesses. 


We would therefore encourage the Commission to host a multi-stakeholder workshop to discuss 
in more detail how the current draft standards could be improved on Strong Customer 
Authentication. There is significant willingness across the industry to work collaboratively 
to develop the standards in a constructive way for the reduction of fraud and the best possible 
implementation of the PSD2. 


In conclusion, while there are some areas that require clarification and change, we broadly 
support the key principles and aims of the draft Regulatory Technical Standards. We urge 
the European Banking Authority, the European Commission, the European Parliament and 
the Council of the EU to seek a conclusion that doesn’t materially change these principles, whilst 
working with the industry to ensure that the standards are workable, measurable and enforceable. 


The undersigned 19 European and national organisations representing e-commerce, small 
merchants, start-ups, ICT and digital technology, payments and FinTech, cards, and leisure and 
travel industries 
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List of co-signing organisations and links to their websites: 


A4E (Airlines for Europe) 


British Retail Consortium 
Bundesverband E-Commerce und Versandhandel Deutschland e.V (BEVH 











Choice in eCommerce 
Computer and Communications Industry Association (CCIA 
DigitalEurope 


E-Commerce Europe 
Eurocommerce 








European Card Payment Association (ECPA) 

European Digital Media Association (EDiIMA) 

European eCommerce and Omni-Channel Trade Association (EMOTA) 
European Payment Institutions Federation (EPIF) 

European Technology and Travel Services Association (ETTSA) 
Expedia.de 

Netcomm 

Payments UK 

TechUK 

The UK Cards Association (UK Cards) 


Visa Europe 





